The SHA-1 hash algorithm, which is known to be weak because of advances in cryptanalytic attacks against it, is being deprecated and replaced with SHA-2. GlobalSign strongly recommends that users migrate to SHA-2 certificates as soon as possible and will no longer offer SHA-1 certificates from December 2015.
GlobalSign is working hard to help its customers and partners with this migration, so we have put together a strategy guide with tips and considerations for the transition.
1. Inventory Existing Certificates to Identify SHA-1 Certificates
Scan or inventory the certificates currently in use on your networks and determine how many are signed with SHA-1. Check the signature algorithm of each server certificate and of any intermediate CA certificates in its chain; the root's own self-signature does not matter, because browsers trust roots by identity rather than by signature. GlobalSign provides two options to help identify your certificates.
Option 1: GlobalSign SSL Server Test
- Go to https://globalsign.ssllabs.com/ and enter your domain.
- The signature algorithm and expiration date are listed under the “Authentication” section. If the signature algorithm is SHA-1, reissue the certificate as soon as possible.
Option 2: Certificate Inventory Tool (CIT)
- GlobalSign's CIT can be run from an easy-to-use online portal for public-facing certificates, or as a local agent that inventories certificates across your entire network (internal and public), regardless of the issuing CA.
- With a pre-built SHA-1 certificate report, users can start locating SHA-1 certificates within minutes of running the tool.
2. Prioritize Certificate Replacement and Determine SHA-2 Support
Although GlobalSign recommends migrating all SHA-1 SSL Certificates as soon as possible, we realize that a prioritized approach may be the most feasible option.
By Expiration Date
Replace SHA-1 certificates that expire in 2017 or later first, then those expiring in 2016, and then the rest. Google has degraded the Chrome UI in phases, beginning with SHA-1 certificates that expire on or after 1 January 2017; later releases extend the degraded UI to certificates expiring in 2016.
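The inventory in step 1 and the expiration-based ordering above can be done in a first pass without either tool. The script below is an added example, not GlobalSign's code or any tool from the original post: it reads the outer signatureAlgorithm OID and the notAfter date straight out of a DER-encoded certificate and ranks SHA-1 certificates in the order recommended above (2017 and later first, then 2016, then the rest). The SHA-1 OID set, the priority tiers, the host labels and the `constructed_certificate` helper (which builds certificate-shaped test input, not real certificates) are this example's own assumptions.

```python
"""Added example: rank SHA-1 certificates for replacement by reading DER directly."""

# Signature OIDs whose digest is SHA-1: sha1WithRSAEncryption, dsa-with-sha1,
# ecdsa-with-SHA1 and the old OIW sha1WithRSA (assumed set; anything else is non-SHA-1).
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3",
             "1.2.840.10045.4.1", "1.3.14.3.2.29"}
OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """DER OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the OID inside the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)          # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def not_after_year(der):
    """TBSCertificate = [0] version (optional), serialNumber, signature, issuer,
    validity SEQUENCE { notBefore, notAfter }, ...; return the year of notAfter."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0              # skip the explicit version if present
    for _ in range(3):                           # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(validity, 0)           # notBefore
    tag, t, _ = _read_tlv(validity, pos)         # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    text = t.decode("ascii")
    if tag == 0x17:                              # UTCTime YYMMDDhhmmssZ: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        return 1900 + yy if yy >= 50 else 2000 + yy
    return int(text[:4])

def replacement_priority(der):
    """Assumed tiers from step 2: 0 = not SHA-1, nothing to do; 1 = SHA-1 expiring in
    2017 or later (Chrome degrades these first); 2 = expiring in 2016; 3 = expiring sooner."""
    if signature_algorithm_oid(der) not in SHA1_OIDS:
        return 0
    year = not_after_year(der)
    return 1 if year >= 2017 else 2 if year == 2016 else 3

def inventory(certs):
    """certs: iterable of (label, der). Return only the SHA-1 entries, most urgent first."""
    rows = []
    for label, der in certs:
        oid = signature_algorithm_oid(der)
        rows.append({"label": label, "algorithm": OID_NAMES.get(oid, oid),
                     "not_after": not_after_year(der), "priority": replacement_priority(der)})
    return sorted((r for r in rows if r["priority"]), key=lambda r: r["priority"])

# --- constructed test input: certificate-shaped DER, not real certificates -----------
def _der(tag, content):
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Dotted OID -> DER content bytes (base-128, high bit set on all but the last byte)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def constructed_certificate(sig_oid, not_after="170101000000Z"):
    """TBSCertificate truncated after validity, an empty issuer and an empty signature:
    enough structure to exercise the parser, but not a valid certificate."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _der(0x30, b"") + validity
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

if __name__ == "__main__":
    sample = [("legacy-app.internal", constructed_certificate("1.2.840.113549.1.1.5", "160601000000Z")),
              ("www", constructed_certificate("1.2.840.113549.1.1.11")),
              ("mail", constructed_certificate("1.2.840.113549.1.1.5"))]
    for row in inventory(sample):
        print(row)
```

To run this against live hosts, fetch each leaf with `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library; that call performs no validation, so it also returns expired or untrusted certificates, which is what an inventory needs. It returns only the leaf, so a complete inventory should also run `signature_algorithm_oid` over each intermediate in the chain.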
Public Facing
Replace certificates on externally accessible sites first, since public-facing sites are the ones most at risk of losing visitor trust because of the way Chrome handles websites that use SHA-1 certificates; Chrome 41, for example, already shows a degraded security indicator for such sites.
Read Google's blog for details of its policy on displaying warnings for sites that use SHA-1.
SHA-2 Adoption
SHA-2 adoption is growing steadily, and most commonly used browsers, servers, and applications already support SHA-2; however, a few still do not (older platforms such as Windows XP before Service Pack 3 are the usual examples). Search for legacy applications and check whether they support SHA-2. Where possible, update applications that lack support; for those you cannot update, determine which servers the legacy application connects to and assess the impact of changing those servers' certificates.
If a server is not public facing, you can continue to use SHA-1 on it until you have had time to upgrade the clients that depend on it. Talk to GlobalSign about our IntranetSSL Certificates, which allow you to issue SHA-1 certificates to internal servers from a non-public root.
3. Consider Splitting up Multi-Domain Certificates
If you use multi-SAN, Unified Communications, or Wildcard certificates, consider splitting them into multiple certificates. That lets you upgrade to SHA-2 for most uses and, only where a legacy application requires it, keep SHA-1 on just the servers that the legacy application needs to connect to.